2 Corporate governance and internal control
2.4 Recent internal control developments in the US
Internal control in the United States is currently strictest in the world and has a very formal approach to internal control, where non-compliance is not an option (comply-or-explain -principle effectively leaves the option not to comply in the EU). Developments in the US are closely watched and monitored by legislators around the world due to the influence of the US and its different approach in matters internal control.
There was a great deal of disagreement at the turn of the decade 1980-1990 on the quality of corporate governance mechanisms employed in the US, for example Romano (1993, pp. 1-5) suggested that as the United States corporate law was largely a matter of the states, not dictated by federal law, corporate law should have been a matter of competition between the states. According to the product market competition theory this should have then led to a level of regulation in corporate governance that would be optimal for both the company and investors, not forcing extraneous costs for either key participants, effectively mitigating material agency costs. Jensen (1989, pp. 67-68) meanwhile underlines the hefty premium (averaging 50 % above market price) that was paid in leveraged buyouts and takeovers, which illustrates the value public-company managers can destroy before they face a serious threat of disturbance.
Jensen also stressed the need for internal control in companies that have no little outside forces to steer for good corporate governance: they dominate their product markets, have low debt ratios and enough self-financing not to be notably controlled by lenders. (Jensen, 1989, pp. 73-74)
There were hardly any major accounting scandals during the 1990’s in the US as economy was booming. The turn of the century however triggered a series of bankruptcies that changed the landscape of corporate governance in the United States. Coffee (2005, pp. 1-2) suggests that accounting scandals typically surface as bubbles burst, which is exactly what happened in the early 2000’s when the IT bubble burst. The most notorious of the failures in the US were those of Enron 2001, Worldcom 2002 and Tyco 2002. The public outcry that resulted from these consecutive major accounting scandals in the beginning of the 21st century was met with tightening of corporate governance norms and transparency requirements in the United States, as the Sarbanes-Oxley Act (SOX) was enacted in 2002, surprisingly quickly, as Brickey points out (2003, p. 2).
The downfall of Enron and Arthur Andersen became the very symbol of 21st century US accounting fraud and corporate greed due to their massive scale and the two companies’ willingness to risk everything for financial gain. The incident served also a wake-up call for the tightening of corporate governance requirements in the USA, as the law is in many respects a mirror image of Enron’s perceived shortcomings, addressing the board’s management supervision and monitoring problems, identifying conflicts of interest as the root cause for such problems according to Deakin and Konzelmann (2003, pp. 1; 13). The Act also enhances criminal fraud penalties in the hope that it would deter personnel from engaging in such activities (Brickey, 2003, pp. 19-22).
The Sarbanes-Oxley Act was first and foremost enacted in order to calm down the public and the stock market, tightening requirements concerning corporate governance, ethics and transparency. The Act is arguably the strictest legislation in the world regarding the disclosure of information on internal control, corporate governance compliance and overall mandatory oversight of publicly traded companies. Internal control requirements in Section 404 of the Act has been at the heart of the SOX controversy due to its specific nature which corporate world feels is overly laborious and expensive to fulfil when compared with perceived gains. In 2003, the Securities Exchange Commission of the United States (SEC, 2003) published the final ruling on implementing Section 404, which has been consequently in effect from the year 2004.
Section 404 dictates that a variety of issues on financial reporting internal control and risk management that need to be periodically addressed, reported, reviewed and auditor attested. Directly related, section 302 requires among other things that management disclose any significant internal control deficiencies when certifying annual or quarterly financial
statements (Zhang et al., 2007, pp. 302 – 304; SEC, 2002; SEC, 2003).
Internal control reporting in the pre-SOX era was not compulsory, which is arguably the primary reason internal control was ineffective in uncovering malfeasance in the early 2000’s accounting scandals. The SOX Act now sets vastly higher standards on corporate transparency and control. Shapiro and Matson (2008, pp. 222-225) assert that the situation is better post-SOX, but also say that the Act will fail to achieve its full potential and risk turning into symbolic theatre if there is not enough resources to properly monitor and enforce the new requirements by the authorities.
The new standards require more work, which translates as increase in direct costs, as for example Arping and Sautner (2013, pp. 1133-1136) point out.
According to their study the new requirement of internal control assessments from both management and independent auditors result higher mandatory control costs. The initial impact for a majority of companies that the Sections 404 and 302 concern seems to be an increase in direct monitoring costs. Most companies view these costs as superfluous, while there are also ardent proponents of the new tighter internal control regime. This has only naturally sparked a wide spectrum of controversy over the balance of benefits and costs resulting from the increase in regulation.
Market liberals have been making most noise against the new regulations, claiming the law to be too hastily drafted and being too costly when compared with the benefits. There seems to be a sentiment among the opponents of the law that product market competition will do a better job of enhancing corporate governance than regulation - some are even calling for the repeal of the Act. For example concerning the requirement to disclose internal control weaknesses, Ogneva et al. (2007, pp. 1255-1258) argue that companies which have reported internal control weaknesses have not paid significantly higher price for equity, even in the most egregious of cases. Representing a starker view, Romano (2005, pp. 9-12; 215-216)
implies that SOX is a purely bureaucratic exercise and completely alienated from real-life business, as the new demands leave companies very little leeway, unnecessarily imposing excessive extraneous costs. According to her, the Act should be repealed and that other countries should see SOX as a warning example of over-regulation. A less stark view, Ribstein (2002, p.
68-69) suggests that SOX could not have prevented Enron or the like as even back then existing regulatory framework was breached and the culprits were determined to ignore the risks of their actions. Ribstein implies that
“promoting more independent monitors with lower-powered incentives to scrutinize the actions of highly informed and motivated insiders cannot solve this problem” and as at the time the SOX Act was just enacted and its implications were not apparent he asserted that the costs of increased regulation could be “significant”.
Proponents of the new regulatory regime defend the strict requirements by underlining the improvements in transparency, accountability and comparability of companies. The pro-side also argues that the regulation does not impose irrelevant expenditure on companies, instead it has value for the company and its stakeholders. For example Leuz (2007, p.147) has demonstrated in his study that the new legislation does not impose significant new net expenditure on companies that are well governed to begin with. A study by Ashbaugh-Skaife et al. (2008, pp. 247-248) concentrated on the quality of reporting accruals by comparing companies with SOX defined “internal control deficiencies” to those without. Their study suggests that ICDs have significant impact on the accrual quality of the companies as companies that reported ICDs had larger abnormal accruals and greater noise in their accrual reporting, indicating a better level of quality in financial reporting by companies that had been deemed to have sufficient internal controls by their management and auditors.
The price of non-compliance and poor corporate governance can be very high. In January 2004 Adecco, a Switzerland-based company providing HR-solutions, hit the headlines as auditors refused to sign off on their 2003 accounts, citing “material weaknesses in internal controls in its North American operations”. Investigation of the matter led to the loss of reputation and ruined the company’s market capitalization. Direct cost to the company was over 100 million USD and took over 160 000 hours of forensic accounting work. Irony of the investigation results was that no material accounting irregularities were found. The company’s internal controls were merely so poor in certain areas that the auditors refused to sign off on the financial statements (Renes, 2008, p.4). The auditor reaction was a direct consequence of tighter corporate governance rules, primarily SOX sections 302 and 404 which require the company’s management and auditor to certify that the company’s internal control is adequate as well as disclose any internal control weaknesses upon releasing annual and quarterly financial statements. SOX had been in effect for only two years at the time while Section 404 had just come to force. It can be then assumed that Adecco had not reacted adequately to the new regulations, apparently assuming that the ambiguous assessments of internal control previously accepted would suffice, with expensive consequences.